PXEboot 0xc000000f - PKI certificate issue (CRL)

[Steve_BE]

Hello

Running SCCM2012 SP1 with an MP/DP in a datacenter and a DP in 3 local offices. All has been working fine since the beginning mostly thanks to the guides here.
But since this monday when deploying new laptops, I get an error message when PXE booting:

 

Recovery
Your PC needs to be repaired
The Boot configuration Data for your PC is missing or contains errors
File:\boot\bcd
Error code: 0xc000000f

 

 

Checking the logs on the local DP where I reside i see the following:

 

[TSMESSAGING] AsyncCallback(): WINHTTP_CALLBACK_STATUS_SECURE_FAILURE Encountered SMSPXE 4/25/2013 11:50:20 AM 3416 (0x0D58)
[TSMESSAGING] : dwStatusInformationLength is 4
SMSPXE 4/25/2013 11:50:20 AM 3416 (0x0D58)
[TSMESSAGING] : *lpvStatusInformation is 0x1
SMSPXE 4/25/2013 11:50:20 AM 3416 (0x0D58)
[TSMESSAGING] : WINHTTP_CALLBACK_STATUS_FLAG_CERT_REV_FAILED is set
SMSPXE 4/25/2013 11:50:20 AM 3416 (0x0D58)
[TSMESSAGING] AsyncCallback(): ----------------------------------------------------------------- SMSPXE 4/25/2013 11:50:20 AM 3416 (0x0D58)
sending with winhttp failed; 80072f8f SMSPXE 4/25/2013 11:50:20 AM 3416 (0x0D58)
Failed to get information for MP: https://ASPSCCML01.company.com. 80072f8f. SMSPXE 4/25/2013 11:50:20 AM 3416 (0x0D58)
PXE::MP_InitializeTransport failed; 0x80004005 SMSPXE 4/25/2013 11:50:20 AM 3416 (0x0D58)
PXE::MP_ReportStatus failed; 0x80004005 SMSPXE 4/25/2013 11:50:20 AM 3416 (0x0D58)
PXE Provider failed to process message.
Unspecified error (Error: 80004005; Source: Windows) SMSPXE 4/25/2013 11:50:20 AM 3416 (0x0D58)
6C:3B:E5:F6:F8:AE, A482B6CF-43F9-11E2-830B-A064B90000ED: Not serviced. SMSPXE 4/25/2013 11:50:20 AM 3416 (0x0D58)

 

WINHTTP_CALLBACK_STATUS_FLAG_CERT_REV_FAILED points to the CRL validation but it was not checked in the configuration.

So I did check it, save, rebooted the server, uncheck it again, reboot again … to no avail

 

Next error I checked is :

Failed to get information for MP: https://ASPSCCML01.company.com. 80072f8f.

Error code 80072f8f would means ERROR_INTERNET_SECURE_FAILURE ErrorClockWrong
But all servers and client shows the correct time (all servers/clients (bios) configured with GMT+1)

 

Next I tried the following:

 

• I redistributed the boot image (x64 - did not recreate them).
• I exported the root CA chain from the internal root CA and re assigned it in \Administration\Overview\Site Configuration\Sites - Properties - tab 'Client Computer configuration'
• I requested a new web server certificate for use in IIS (as described at http://technet.microsoft.com/en-us/library/gg682023.aspx#BKMK_webserver2008_cm2012)
• I requested a new DP certificate, exported it with the private key and configured it in \Administration\Overview\Site Configuration\Servers and Site System Roles - distribution point - properties - tab 'General and import the certificate (again as described at http://technet.microsoft.com/en-us/library/gg682023.aspx#BKMK_clientdistributionpoint2008_cm2012)

I then went back to the original error: WINHTTP_CALLBACK_STATUS_FLAG_CERT_REV_FAILED and from http://msdn.microsoft.com/en-us/library/aa383917(VS.85).aspx it would means:

Certification revocation checking has been enabled, but the revocation check failed to verify whether a certificate has been revoked. The server used to check for revocation might be unreachable

 

I thus checked further the PKI implementation and in AD Sites and services -> /Services/Public Key Services/CDP/ASP-SELLROOTCA/Company Internal ROOT CA -> Properties -> Tab object
And I see that the last Modified date is from Monday 22/04 (Created 24/9/2010, Modified 22/04/2013 - USNs current 12017227, Original 17735)

 

This coincide with the time OSD didn’t work anymore
Here I am stuck on how to resolve this: Either have SCCM not check the CRL (as I believe we configured it) or have CRL access available when PXE booting.

 

Any hint / suggestion is welcome

Steve